Precautionary steps to take against Log4j vulnerability (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105)

This post has been updated on 20/12/2021.

Hello there,


In Exchange Reporter Plus, the affected Log4j version is used in the bundled dependency. Our security experts are analyzing the issue and, as of now, we have no conclusive evidence that our product is affected by it. However, we strongly recommend that all our customers follow the steps below as a precautionary measure.


Precautionary steps to take against this vulnerability:


Step 1: Stop Exchange Reporter Plus.


Step 2: Go to <Exchange Reporter Plus installation directory>\elasticsearch\lib folder.


Step 3: Locate the files listed below, save a backup of them, and remove them from the lib folder.


log4j-1.2-api-2.11.1.jar


log4j-api-2.11.1.jar


log4j-core-2.11.1.jar


(or)


log4j-1.2-api-2.16.0.jar


log4j-api-2.16.0.jar


log4j-core-2.16.0.jar


Step 4: Download and extract the files listed below from this zip and add them to the <Exchange Reporter Plus installation directory>\elasticsearch\lib folder.


log4j-1.2-api-2.17.0.jar


log4j-api-2.17.0.jar


log4j-core-2.17.0.jar


Step 5: Navigate to the <Exchange Reporter Plus installation directory>\elasticsearch\plugins\search-guard-6 folder.


Step 6: Locate the log4j-slf4j-impl-2.11.1.jar or log4j-slf4j-impl-2.16.0.jar file, save a backup of it, and remove it from the search-guard-6 folder.


Step 7: Download the log4j-slf4j-impl-2.17.0.jar file from here and add it to the <Exchange Reporter Plus installation directory>\elasticsearch\plugins\search-guard-6 folder.


Step 8: Start Exchange Reporter Plus.
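The following check confirms that Steps 1 to 8 left only the 2.17.0 jars in the two folders named above. It is an added example, not a ManageEngine script; the `$InstallDir` parameter is an assumption and must be set to your own installation directory.

```powershell
# Added example: verify the Log4j jar replacement described in Steps 1-8.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallDir   # assumption: your Exchange Reporter Plus installation directory
)

$FixedVersion = '2.17.0'

# Folder (relative to the installation directory) -> jars the steps say must be present.
$Expected = @{
    'elasticsearch\lib' = @(
        "log4j-1.2-api-$FixedVersion.jar",
        "log4j-api-$FixedVersion.jar",
        "log4j-core-$FixedVersion.jar"
    )
    'elasticsearch\plugins\search-guard-6' = @(
        "log4j-slf4j-impl-$FixedVersion.jar"
    )
}

$problems = 0
foreach ($relative in $Expected.Keys) {
    $folder = Join-Path $InstallDir $relative
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Folder not found: $folder"
        $problems++
        continue
    }

    # Every log4j jar in the folder, including any left behind in Step 3 or Step 6.
    $found = @(Get-ChildItem -LiteralPath $folder -Filter 'log4j-*.jar' -File)

    foreach ($name in $Expected[$relative]) {
        if ($found.Name -notcontains $name) {
            Write-Warning "Missing: $(Join-Path $folder $name)"
            $problems++
        }
    }

    foreach ($jar in $found) {
        $status = 'OK'
        if ($Expected[$relative] -notcontains $jar.Name) { $status = 'UNEXPECTED'; $problems++ }
        # Record the SHA-256 so the deployed files can be compared with the downloaded ones.
        $hash = (Get-FileHash -LiteralPath $jar.FullName -Algorithm SHA256).Hash
        '{0,-10} {1}  SHA256={2}' -f $status, $jar.FullName, $hash
    }
}

if ($problems -gt 0) { Write-Warning "$problems problem(s) found."; exit 1 }
"All Log4j jars match the expected $FixedVersion set."
```

A jar reported as UNEXPECTED is an older version still in the folder; keep the backups from Steps 3 and 6 outside these two folders.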


Note: As per the latest update from Apache, there is no need to perform the previous workarounds listed below (modifying the jvm.options and wrapper.conf files). Apache has released a .jar file which can mitigate this vulnerability.


Old workaround suggested by Apache, which is now redundant:

 

Step 1: Stop Exchange Reporter Plus.

Step 2: Navigate to <Installation folder>\Exchange Reporter Plus\elasticsearch\config and take a backup of jvm.options.

Step 3: Edit jvm.options, add the following line, and save the file:

-Dlog4j2.formatMsgNoLookups=true

 


Step 4: Navigate to <Installation folder>\Exchange Reporter Plus\conf.

Step 5: Take a backup of wrapper.conf.

Step 6: Edit wrapper.conf, add the following line, and save the file:

-Dlog4j2.formatMsgNoLookups=true

 

Step 7: Start Exchange Reporter Plus.